Vetted Skills Marketplace
50+ security-scanned skills, one-click install. We vet every skill because 341 malicious ones were found in the OpenClaw ecosystem.
The 341 Malicious Skills Problem
In early 2026, security researchers discovered 341 malicious skills in the OpenClaw ecosystem. These skills were published to the community registry and looked legitimate — web search tools, productivity helpers, integration connectors. But hidden in their code were instructions to steal API keys, exfiltrate conversation data, inject hidden system prompts, and redirect LLM requests to attacker-controlled servers.
This is a supply chain attack. The same class of vulnerability that hit npm (event-stream), PyPI (malicious packages), and VS Code extensions. And in the OpenClaw ecosystem, it is particularly dangerous because skills run with the same permissions as the agent — they can access everything the agent can access.
If you self-host OpenClaw, you have to vet every skill yourself. Read the source code, check for obfuscated payloads, verify that network requests go where they should, and repeat this process for every update. Most users do not do this. Most users install skills and hope for the best.
How Our Vetting Works
KiwiClaw's Skills Marketplace only includes skills that have passed our security review process. Here is what that looks like.
Code review — Every skill is manually reviewed by our team. We read the source code, check for data exfiltration, verify API endpoints, and flag suspicious patterns. Obfuscated code is rejected automatically.
Permission analysis — We document exactly what each skill can do: which APIs it calls, what data it accesses, whether it requires network access. This information is displayed on the skill's marketplace page so you can make informed decisions.
Sandboxed testing — Skills are tested in isolated environments to verify they behave as documented. We check for hidden network requests, unexpected file access, and system prompt injection.
Ongoing monitoring — Skills are re-reviewed when updated. If a skill update introduces suspicious behavior, it is pulled from the marketplace immediately.
What Skills Are Available
The marketplace includes 50+ skills across several categories:
- Web and search — Brave Search, Google Search, web browsing, website monitoring, RSS feeds
- Productivity — Calendar management, task tracking, note-taking, file management
- Communication — Email sending, Slack messaging, Discord bots, Telegram integration
- Development — GitHub integration, code review, CI/CD triggers, documentation generation
- Data — CSV processing, database queries, API connectors, data visualization
- Content — Image generation, PDF processing, document formatting, translation
New skills are added regularly. If you need a skill that does not exist yet, request it — we prioritize based on demand.
One-Click Install
Installing a skill takes one click. Go to the Skills page in your dashboard, find the skill you want, click Install, and it is immediately available to your agent. No configuration files to edit, no packages to install, no restarts required.
Removing a skill is equally simple. Click Remove and the skill is uninstalled instantly. Your agent's capabilities adapt in real time.
FAQ
What are OpenClaw skills?
Skills are plugins that extend your AI agent's capabilities. A web search skill lets the agent browse the internet. A code execution skill lets it run Python. A Slack skill connects it to your workspace. Skills are the building blocks that make OpenClaw agents powerful — but they also represent a security surface.
Why is skill vetting important?
Security researchers found 341 malicious skills in the OpenClaw ecosystem — skills that steal API keys, exfiltrate data, or inject hidden instructions. When you self-host, you have to vet every skill yourself. KiwiClaw's marketplace only includes skills that have passed security review, so you can install with confidence.
Can I install custom skills not in the marketplace?
Enterprise customers can request custom skill reviews and installations. For Standard and BYOK plans, we recommend using marketplace skills for security. If you need a skill that does not exist yet, contact us — we review and add new skills regularly.